CyberWire Daily - How are we doing in the industrial sector? [Research Saturday]
Episode Date: March 27, 2021. Guest Sergio Caltagirone from Dragos joins us to take us through their 2020 ICS Cybersecurity Year in Review report. Dragos's annual ICS Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. The goal of the report is to give asset owners and operators proactive, actionable information and defensive recommendations in order to prepare for and combat the world's most significant industrial cybersecurity adversaries. The report can be found here: 2020 ICS CYBERSECURITY YEAR IN REVIEW
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers
and analysts tracking down threats and vulnerabilities, solving some of the hard
problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And so, you know, it was really a good opportunity to step back and ask the question, what's changed?
But more importantly, also, I think that's important is what hasn't changed?
That's Sergio Caltagirone. He's vice president of threat intelligence at Dragos.
Today, we're discussing their 2020 ICS and OT cybersecurity Year in Review.
We've been doing this report for three years now.
Obviously, Dragos has been around for four and a half years.
And, you know, really one thing we've always looked at is other vendors and other members of the community who have been able to put together real data points about cybersecurity. And I think that we all, you know, in this space,
we all have all of these anecdotes about stuff happening. And that's great, but it doesn't,
anecdotes don't make good policy. And I think that's true almost everywhere. And what Dragos
really wanted to do was say, hey, look, ICS and operational technology,
the systems that run our power, our water, our food manufacturing plants, and they keep us safe
and healthy, and they produce drugs in pharmaceutical factories and so forth. We need data about that,
too. It's not just about email systems being compromised or web browsers, or zero days affecting your Zoom or whatever.
It's really about how are we doing in the industrial sector specifically,
because it is a very unique one.
And so every year now we've done a report, and it's a bear, man.
I got to tell you, it's one of the hardest things I do,
because it takes so much work to really pull apart.
After a whole year of work,
it's hard to pull apart, like, you know, and step back
after you're like, you know, you fight fires every day
and you step back and you're like,
okay, what really happened this last year?
Of course, 2020 being unique in that we have
all these other global events
that have been placed on top of us as well.
And so, you know, it was really a good opportunity
to step back and ask the question, what's changed?
But more importantly, also, I think that's important is what hasn't changed and what needs to change.
And so that's why we put this together and we really try to make it data driven.
All right. Well, let's let's use that as our point of departure then.
I mean, what are the things that you tracked in terms of what changed and what didn't change?
Yeah. You know, and I love to say that our 2020 Year in Review report is awesome.
But more importantly, it's how you put the reports together
and also how you look at them in terms of, you know,
comparison to other reports in the industry
to get a better sense of, like I said,
the strategic cybersecurity picture for industrial.
You know, for us, we have been tracking threats, we've been tracking vulnerabilities,
and then we also have been tracking our engagements.
So when we show up on site at a customer environment,
the question is, well, what did we find? What didn't we find?
What was available to the defenders? What wasn't?
What worked and what didn't? Basically to help all of us
kind of get better at understanding what's going on in the world, what's happening with our systems and the vulnerability
space. And then ultimately, when bad things happen, what's going on when we get there.
And so really, we break the report down into those three steps, because all three of those
steps are necessary for bad stuff to happen. You got to have a bad person out there doing things,
you got to have some way for them to do it, a vulnerability. And then finally,
you have to have defenders who were unable to defend their systems effectively.
And so all three of those are kind of part of the picture of creating a defensible
industrial control environment. Fundamentally, so in the threat space,
it's really important to recognize that we've only been looking at industrial threats directly
and focused on for the last four, four and a half to five years. And what we found is that
over that period of time, the threat landscape is growing. That's an easy thing. Everybody in
the cybersecurity community says that, by the way. So, you know, that statement alone shouldn't
cause any issues. But what's really important to realize is that we're growing at about a 3x rate.
And so we are tripling our threats.
For every threat that seems to kind of go quiet, we're getting three new ones.
And for us, that's really, really important.
And we're just sitting at the tip of this iceberg because 10 years ago, you know, when Stuxnet came out and
everyone was like, whoa, what just happened here? And everyone looked around at everyone else and
was like, is this something different? Is this, you know, does this matter? All of the major
adversaries in the world started putting money and resources into this problem. Like, hey, well,
if somebody can take down our manufacturing systems, we should be able to take down theirs.
What we found is this 3x shows perfectly that 10 years ago, people really started investing.
And it takes five to seven years for an investment in a new attack surface to really bear results. And so what we found is this year we added four new dedicated ICS attack groups
to our inventory. And that's really impressive for a single year, especially for one where we're
really just looking at the beginnings of this. The second area is vulnerabilities. And this is
one where we've really focused on our vulnerabilities being captured accurately.
And do people have the information necessary to understand them?
There's thousands of vulnerabilities in the world, Dave.
What are we going to, you know, how can an asset owner understand which ones they need to patch today?
Obviously, you know, they're like, oh, well, let's look at what people have written about it.
You know, the governments or whatever, we found that in 70% of the cases, the publicly available information about industrial
vulnerabilities under-reported the severity of that vulnerability, which means that in most cases,
asset owners were not operating on accurate information when it came to which vulnerabilities
they needed to address in their environment. In addition to that, 30% of the vulnerabilities that were publicly reported in 2020 were wrong
for industrial.
And that, again, is another point to say vulnerability analysis in the industrial space is very poor.
And so there's a lot of work that has to get done so that, you know, when we do patch these
systems, some of these industrial environments only go down once or twice a year. Some only go down once or twice every decade.
When they have the chance to really get in there and clean and patch and do all of this,
what are the ones they're going to work on? Well, they need good information to decide that.
And the last thing that really kind of jumped out at us was that in 90% of the cases where
a customer calls us and says,
hey, there's a bad thing happening. Can you come help? 90% of those cases, Dave,
there was no data available to help. And that continuously shows, and that's not a change,
that continuously shows how this really fundamentally has our visibility into the
industrial landscape has not yet fundamentally evolved. We're getting
better, but still there's too many industrial environments that are having cybersecurity
problems and they just can't see them. And of course, the rule is if you can't see it,
you can't protect it. And so we really need to get better there. So I think in all of those
three areas, we're showing that it's really getting worse, but there are huge opportunities for us to do small things to get better.
Help me understand the spectrum between the number of folks who are coming at these systems,
the bad guys targeting ICS environments, but also the amount that folks are now looking at them,
are looking for those bad guys to be coming.
You follow me here?
Like how much of this is actually an increase in attacks
and how much of it is that
we're actually looking for them now?
Oh, Dave, you're going right after my heart here.
So that's called visibility bias
in intelligence analysis, right?
So sometimes you can, well, first of all,
I like to say that visibility is king of intelligence, right? Because you can only know what you can see.
And so we, again, we only know what we can see. And the fact is that the answer is yes,
Dragos has changed for a lot of people in a way that we are looking specifically for things that
people weren't looking for before. So the answer is we are absolutely going to find things that were around. Now, what's important to realize is that we try our hardest to balance that
bias with external data sources that can give us an insight as to when this threat began.
And so what we try to do is measure not just is there a threat, but what is the earliest timeline
of that threat?
So that then, yes, we can answer that question better as to when did this start?
Was this new or did this like Xenotime, like one of the threats we tracked,
we have evidence of them going all the way back to 2014 and we found them in 2017.
And so, yes, but in the cases of this year, most of the threats that we're finding are new.
From the visibility that we have, we're able to confirm that, yes, these are threats that have just begun in the last year to two years.
In terms of how we take action based on the information that you all have gathered here, to what degree are we behind? Is this a Manhattan Project kind of thing where, you know,
we've got to get all hands on deck and work on this? Or is there a more deliberate sort of, you know, rational kind of slow thing where we can plan and say, okay, you know, over the next X
number of years, we are going to get to this point as a nation? Yeah, that's a great question.
And I want also to recognize that this isn't a U.S. problem, right?
That this affects, you know, 7 billion people worldwide who use industrial control systems for reliable power and clean water and so forth.
So, you know, this is a global issue.
And when attackers attack a system in, say, India, and they affect an industrial control system there, they're learning how they attack industrial control systems elsewhere.
So you see that very traditional threat proliferation problem.
And so that's why we treat this as a, you know, we very much treat this as a global issue. I think what we've seen is especially with, say, the water treatment facility in Oldsmar,
Florida, and with other incidents that happened last year and over the last couple of years,
I think we're seeing increased urgency. Four years ago, Dave, when I think you and I first talked,
this was very much a, hey, things aren't bad, you know, not bad yet. They're going to get worse. We can kind of see that, you know, we have time.
I think that that clock is running out on us.
And I think that we're not getting better fast enough.
And I think the answer is that we are getting left behind.
We had the opportunities, you know, four or five years ago to get better
when we knew this was going to be a problem.
And I think that we're not yet seeing the amount of acceleration to protect these environments that we should have. And my
concern is that this is slowly turning from a, hey, you know, we can do this, it can be methodical,
it can be improved, we can get better. And I've got to say over the next three to four years,
this is going to turn into a Manhattan Project. And we are in a very important situation where we know what we need to do. There is no question
that water treatment plants need to be protected. The answer is going to be, what do we do about it?
And the answer is, it's coming, right? It's here and it's going to come even more. It's going to
come more often. So the answer is we need, first of all, Dave, the answer is visibility, visibility, visibility.
I've hit it several times in this podcast so far.
If you can't see it, you can't protect it.
And so with that 90% statistic of most organizations don't even have the basic data to protect themselves, we have to start there. And if we don't start there, when we have an Oldsmar, we're going to get stuck in the same situation of something bad happened, but we don't entirely know what or how or when or so
forth. And we need to get better at doing that. And that is our first step to understanding the
adversaries and then to lay the foundation of greater defensive action as we move forth.
Forgive the naivety of my question here
and nerding out a little bit,
but is there an element where market pressures
can tend to outstrip the security realities?
And what I'm thinking of is, you know,
somebody has a pump sitting out in the middle of nowhere
and that pump needs to be monitored. And, you know, time was perhaps, you know, somebody has a pump sitting out in the middle of nowhere, and that pump needs to be monitored.
And, you know, time was perhaps, you know,
we sent a couple of folks out on some interval,
and they went and they took measurements on that pump
and made sure that pump was working.
Well, now that pump is remotely monitored.
You know, the miracle of 5G has allowed us to remotely monitor that pump, right?
Right.
And has the fact that we're not actually sending real human beings out there,
we're trusting the data stream that's coming from whatever monitors we put on that pump,
are we kind of, to mix metaphors, are we outkicking our coverage?
Oh, that is a great question, David. It's not naive at all. This is actually wonderful.
In fact, this brings me to one of my favorite facts about industrial control systems.
One of the reasons why rural telephone networks were legislated to exist inside the United States was because of the need to manage electricity over long distances.
And so, in fact, one of the earliest uses of rural telephone lines was to manage remote electrical stations.
And so in the industrial space, we are in no way, shape, or form,
you know, afraid of remote or distance issues.
In fact, it's pretty much baked into most ways we think about industrial.
And the key element is that the adversaries right now, yes,
will we potentially have to question our monitoring systems and things and our sensors?
Yes, we will probably have to do so.
But just like in the land of IT, the adversaries are still such that they don't really care if they got caught. It doesn't really harm them fundamentally.
They're doing a little bit of
log manipulation and things like that in IT, but not really. It's still funny how much data you
get about them when you have the data. And I think so for us, it's a great question, but I think that
is a question that we should be hopefully addressing in 10 years, not this year. That is a
future issue. And I think we still have
to get to the, can we see it before we get to the question of, can we trust the data that we see?
Well, I mean, big picture take-homes, what do you hope people walk away with after they've
read the report? One is that there should be public pressure generally on public policymakers to improve the cybersecurity systems of public utilities.
That has to be a critical element of what we do.
In addition to that, private entities need to recognize the raw data here and say, okay, if we have a major incident, in 90% of the cases, we will have no idea what just
happened. And that is not okay if you want to be able to bring a plant back up online safely.
And so I think both from a market pressure, from downtimes and industrial operations,
stoppages and so forth, and disruptions, all the way back to the public utilities need to
be protected, or we need to have reliable and safe electricity and drinking water and so
forth? I think we need pressure on both sides to make industrial systems better.
And so I think that there's a role for everybody.
There's a role for people reading this report and listening to you who are
like, yeah, I've never touched her. I don't even know about industrial systems.
Well, you know what?
Call your public utility commission and say, what are we doing about this? Talk to your legislators. Talk to
your local governments. Talk to people who have control over this happening for your communities.
You don't want to be in Oldsmar, Florida. And in addition to that, the company leaders
who are listening to this need to start looking at the data and say, wow, we have an industrial environment and this is coming at us like a freight train.
We should probably do something about it now.
So I think there's something in this report for everyone to take away and do something.
Our thanks to Sergio Caltagirone from Dragos for joining us. We were discussing their 2020 ICS and OT cybersecurity trends Year in Review.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Peru Prakash,
Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.